A bug was found in the way bzgrep processes file names. If a user can betricked into running bzgrep on a file with a carefully crafted filename, arbitrary commands could be executed as the user running bzgrep.The Common Vulnerabilities and Exposures project (cve.mitre.org) hasassigned the name CVE-2005-0758 to this issue.

A bug was found in the way bzip2 modifies file permissions duringdecompression. If an attacker has write access to the directory intowhich bzip2 is decompressing files, it is possible for them to modifypermissions on files owned by the user running bzip2 (CVE-2005-0953).

A bug was found in the way bzip2 decompresses files. It is possible foran attacker to create a specially crafted bzip2 file which will causebzip2 to cause a denial of service (by filling disk space) ifdecompressed by a victim (CVE-2005-1260).

Users of Bzip2 should upgrade to these updated packages, which containbackported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released erratarelevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only thoseRPMs which are currently installed will be updated. Those RPMs whichare not installed but included in the list will not be updated. Notethat you can also use wildcards (*.rpm) if your current directory *only*contains the desired RPMs.

Please note that this update is also available via yum and apt. Manypeople find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in theappropriate RPMs being upgraded on your system. This assumes that youhave yum or apt-get configured for obtaining Fedora Legacy content.Please visit http://www.fedoralegacy.org/docs for directions on how toconfigure yum and apt-get.